Quasar

Kernel-mode anticheat is a huge nope


I am so far quite curious about the recent discoveries.

 

I wonder what else is there after more fiddling and experimenting.

Just now, seed said:

I am so far quite curious about the recent discoveries.

 

I wonder what else is there after more fiddling and experimenting.

Your safer bet is to try and get the multiplayer bits working again with v1.00, because we have the non denuvo executable, then trying to take apart the anti cheat bits in 1.01. 

11 minutes ago, icecoldduke said:

Just because you terminate the job, and the game crashes out, doesn't necessarily mean the anti cheat job is doing work, even if the job is active. Is it sending network traffic back to AWS when you're playing singleplayer?

 

I've got TCP/IP monitoring on both System and Doom Eternal executable on one display, and game running on the other one. So, the driver itself is loaded through the system kernel; there's a variety of ports opening and closing via DoomEternalx64vk.exe, but the thing is that the bulk of these connections are opening in between rounds, end of matches etc. And different instances of AWS between the two.

 

As was noted before, I think the best way to really figure this out is to have people test it. I'm using a 32" Samsung smart TV as an external display, and on that the furthest I can stretch my graphical settings is "high" across the board. 99% of my matches have my framerate averaging 58 FPS (com_showfps "2"). I can't say I have seen any appreciable performance hit on Battle Mode either way; now in campaign in Super Gore Nest I encountered like one or two spots where I briefly dipped below 40 FPS, but it was so brief I wouldn't have noticed had I not been keeping an eye on the framerate readout.

 

So yeah, tl;dr

Run some TCP/IP monitoring tools (Process Explorer / the Sysinternals suite is p. good), kill the Denuvo thread inside your Doom Eternal exe while it's running, don't manually close any Denuvo network connections, monitor traffic on both System and Doom Eternal.

 

I have some pictures here showing how I am arranged between the 2 displays plus a screencap; the program being used is Process Explorer (https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer)

[Attached images: dacthreadkill2.png, 20200519_150435.jpg, 20200519_150501.jpg]
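As an added illustration of the monitoring set-up described in this post (this is not the poster's tool; they used Process Explorer), the PowerShell script below polls the Windows TCP table for connections owned by the named processes and logs each one that opens or closes, with a reverse-DNS lookup of the remote endpoint so you can see which hosts the System process and the game executable are talking to. The process names, polling interval and log path are assumptions; it needs Windows 8 / Server 2012 or later for Get-NetTCPConnection.

```powershell
# Added example, not from the thread: poll the TCP table for the watched processes
# and log every connection that appears or disappears between polls.
# Requires Windows 8+/Server 2012+ (NetTCPIP module). Names and paths are assumptions.
param(
    [string[]]$ProcessNames = @('System', 'DoomEternalx64vk'),  # without ".exe"
    [int]$IntervalSeconds = 2,
    [string]$LogPath = "$env:USERPROFILE\Desktop\conn-monitor.csv"
)

function Get-WatchedConnections {
    param([string[]]$Names)
    # Map PID -> name for the watched processes; re-read each poll because PIDs change on restart.
    $pidToName = @{}
    foreach ($p in Get-Process -Name $Names -ErrorAction SilentlyContinue) {
        $pidToName[[int]$p.Id] = $p.ProcessName
    }
    $active = @{}
    foreach ($c in Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        # Skip listening sockets and anything not owned by a watched process.
        if ($c.State -eq 'Listen' -or -not $pidToName.ContainsKey([int]$c.OwningProcess)) { continue }
        $key = '{0}|{1}:{2}->{3}:{4}' -f $pidToName[[int]$c.OwningProcess], $c.LocalAddress, $c.LocalPort, $c.RemoteAddress, $c.RemotePort
        $active[$key] = [string]$c.State
    }
    return $active
}

function Compare-ConnectionSets {
    param([hashtable]$Before, [hashtable]$After)
    # Emit one event per connection that is new since the last poll or gone since the last poll.
    $events = @()
    foreach ($k in $After.Keys)  { if (-not $Before.ContainsKey($k)) { $events += [pscustomobject]@{ Event = 'OPENED'; Connection = $k; State = $After[$k] } } }
    foreach ($k in $Before.Keys) { if (-not $After.ContainsKey($k))  { $events += [pscustomobject]@{ Event = 'CLOSED'; Connection = $k; State = $Before[$k] } } }
    return $events
}

function Resolve-RemoteHost {
    param([string]$Ip)
    # Reverse lookup so the log shows which cloud host was contacted; empty string if there is no PTR record.
    try { return (Resolve-DnsName -Name $Ip -Type PTR -ErrorAction Stop | Select-Object -First 1).NameHost }
    catch { return '' }
}

$previous = Get-WatchedConnections -Names $ProcessNames
Write-Host ("Watching {0}; logging changes to {1}" -f ($ProcessNames -join ', '), $LogPath)
while ($true) {
    Start-Sleep -Seconds $IntervalSeconds
    $current = Get-WatchedConnections -Names $ProcessNames
    foreach ($e in Compare-ConnectionSets -Before $previous -After $current) {
        # The remote side follows '->'; strip the trailing ":port" (also works for IPv6 literals).
        $remoteIp = (($e.Connection -split '->')[1]) -replace ':\d+$', ''
        $row = [pscustomobject]@{
            Time       = (Get-Date).ToString('s')
            Event      = $e.Event
            Connection = $e.Connection
            State      = $e.State
            RemoteHost = Resolve-RemoteHost -Ip $remoteIp
        }
        $row | Export-Csv -Path $LogPath -Append -NoTypeInformation
        Write-Host ('{0} {1,-6} {2} {3}' -f $row.Time, $row.Event, $row.Connection, $row.RemoteHost)
    }
    Write-Host ('  active watched connections: {0}' -f $current.Count)
    $previous = $current
}
```

Run it in an elevated console on the display you keep for diagnostics and leave it running through a few matches; the CSV then gives you a timeline of which endpoints were contacted and when, rather than a screenshot of a moment.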


What happens if you just block the connection between Denuvo anti tamper and AWS? Does the game still run?


If you just arbitrarily block AWS, you're more likely going to block your connection to their dedicated servers (I believe they are hosted on AWS), which would kind of defeat the point of trying to play multiplayer.

19 minutes ago, icecoldduke said:

What happens if you just block the connection between Denuvo anti tamper and AWS? Does the game still run?

 

Well, it depends on how you do it from what I can see thus far. Inside the NT Kernel, there are several instances of the Denuvo driver across about 6 threads, and they seem to frequently come and go (which I'm theorizing could possibly cause some performance issues for some people on account of how rapidly they're being created and destroyed). If you go through the TCP/IP side of things and manually close the connections on the kernel side, the second you try to connect to Battle Mode you get a CTD with no dialog whatsoever. It's just toast.

 

One thing you could possibly try is using the resolved address of the Amazon server communicating with Denuvo and setting it to redirect traffic to localhost in your hosts file. I haven't tried this yet, though. It's possible that could yield the same result as manually closing the system connection.

 

E: and this method by itself, it only works for as long as Denuvo is communicating with this particular server. The target host changes frequently.

 

11 minutes ago, Edward850 said:

If you just arbitrarily block AWS, you're more likely going to block your connection to their dedicated servers (I believe they are hosted on AWS), which would kind of defeat the point of trying to play multiplayer.

 

I'm actually not 100% sure either way. I guess it would depend on which one you block, because I think the server taking the Denuvo data is a different one than whatever is hosting the matches.

15 minutes ago, Edward850 said:

If you just arbitrarily block AWS, you're more likely going to block your connection to their dedicated servers (I believe they are hosted on AWS), which would kind of defeat the point of trying to play multiplayer.

Denuvo and id Software's matchmaking service probably both run in AWS, but as @ZalgoC0meth mentioned it would be worth trying to set the Denuvo AWS address to redirect to localhost and seeing whether it works or not. That would be a shit user experience if the game wouldn't let you go through the matchmaking process when the Denuvo anti tamper servers were down or heavily congested.


I was waiting for Doom Eternal to drop Denuvo before I bought it. But I doubt I'll ever end up buying it now.


I see a few people are manipulating/killing the Denuvo threads etc. There is a utility that can automate such tasks; it's named Process Lasso:

 

https://bitsum.com/

 

It's paid software, but even the free version can do lots of useful stuff. I mostly use it to automatically limit processor affinity to 1 physical CPU for older programs (I have Threadripper 1950X and lots of older programs just aren't made with 16C/32T systems in mind).

9 hours ago, ZalgoC0meth said:

I mean...why?

 

I guess Denuvo/Zenimax does not host the infrastructure for DAC themselves; instead they rented servers on Amazon's cloud. Nothing to complain about. But what @Quasar mentioned, using a deprecated API, is reckless.


I'm afraid this is going to kill off the PC as a gaming computer. Neither consoles nor Google Stadia have this problem. And it will become attractive to try them if I really want to play such games. So there'll be less and less certainty about playing the game on PC. This will also lead to lower sales of specialized PC hardware such as powerful GPUs. And overall degradation of gaming challenge quality, because, let's say Doom 2016: this game is way too hard to play from a handheld controller compared to keyboard+mouse!

 

I read some nefarious examples of what Anti-Cheat drivers can do, such as this one:

 

3 minutes ago, printz said:

I'm afraid this is going to kill off the PC as a gaming computer.

 

 

If that isn't the master plan after all - consoles and online services do not have these piracy "issues" so they are a lot more attractive to the developers. Whether this will work out is a different matter.


I had no idea PC gaming, in terms of the most modern games, had gotten so bad. I've had a whole bunch of very old games on my Steam, most of them pre-Steam itself, but I'm bored of those, and I'm getting too nervous now to try any potential games that may interest me. Actually, it's not really a problem, as nothing I see these days appeals to me at all. Doom Eternal was the only exception, but even that's buggered for good now.

 

14 minutes ago, Graf Zahl said:

consoles and online services do not have these piracy "issues" so they are a lot more attractive to the developers

And there's also that push for cloud gaming that's been happening lately (Stadia, Orion). I only hope they go the way of OnLive.

1 hour ago, Vic Vos said:

And there's also that push for cloud gaming that's been happening lately (Stadia, Orion). I only hope they go the way of OnLive.

They're not very usable now, but they will be. Like I said in my older post:

 

"The push towards this is already evident: one of the main 5G wireless selling points is that the latency will be reduced 100 times after they roll out the 40/60 GHz beamforming mode. That will be crucial to improve the responsiveness of the [remote desktop/cloud] terminals."

 

Also, don't forget the first cloud-based devices (Chromebooks) had been released back in 2011 already, so this is well underway. However, it is just a small part of a much bigger global push towards the "everything-as-a-service" business model, from cars and hi-tech devices down to ordinary things like TVs or microwave ovens. Through never-ending rental fees, the corporations will be able to extract more money from consumers than they can now with one-time purchases. But the hidden ultimate reason for this is more power, more control over the populace. And >90% of people are happily speeding towards it...

52 minutes ago, Caleb13 said:

They're not very usable now, but they will be. Like I said in my older post:

 

"The push towards this is already evident: one of the main 5G wireless selling points is that the latency will be reduced 100 times after they roll out the 40/60 GHz beamforming mode. That will be crucial to improve the responsiveness of the [remote desktop/cloud] terminals."

 

Also, don't forget the first cloud-based devices (Chromebooks) had been released back in 2011 already, so this is well underway. However, it is just a small part of a much bigger global push towards the "everything-as-a-service" business model, from cars and hi-tech devices down to ordinary things like TVs or microwave ovens. Through never-ending rental fees, the corporations will be able to extract more money from consumers than they can now with one-time purchases. But the hidden ultimate reason for this is more power, more control over the populace. And >90% of people are happily speeding towards it...

 

"Meet the new boss ... same as the old boss."

4 hours ago, printz said:

I'm afraid this is going to kill off the PC as a gaming computer. Neither consoles nor Google Stadia have this problem. And it will become attractive to try them if I really want to play such games. So there'll be less and less certainty about playing the game on PC. This will also lead to lower sales of specialized PC hardware such as powerful GPUs. And overall degradation of gaming challenge quality, because, let's say Doom 2016: this game is way too hard to play from a handheld controller compared to keyboard+mouse!

 

I read some nefarious examples of what Anti-Cheat drivers can do, such as this one:

Christ Almighty.

Y'know, I liked CroTeam's approach to DRM and anti-cheat: active trolling measures. When Serious Sam 3 launched, people that pirated the game were posting videos showing the game taking over their mouse, spawning God mode scorpions to come grief you, just making the game unplayable without having any actual permanent consequences. Why can't we have these less harmful measures instead of "You have a disassembler open in the background? Enjoy your ban!"?

Sigh.

 

I've kind of been wondering if I was going to be subject to that kind of fuckery on account of opening the game executable, forcibly terminating threads and whatnot...so far I seem to be in the green!

On 5/18/2020 at 2:33 PM, NoXion said:


I don't understand why they would do that. At least with revenue enhancement bullshit, the motive is obvious. But this? That cliche about killing the goose that lays the golden eggs comes to mind.


Which is why the fable of the golden goose exists in the first place. 
 

This sort of practice is surprisingly common, especially within the video game industry; the second the bean counters see that even their most profitable franchise starts to fall below expectations (even if it's because of a decision they exclusively made), that franchise is no longer deemed profitable and it's decided that the franchise in question is shelved, possibly for good (along with the development studio if things get REALLY bad).


I honestly haven't had a chance to get Doom Eternal yet, and after hearing all this I got to thinking: no, I don't want to get a game that has issues like this, it's totally uncalled for... and then I watched, well, listened to this video:

 

 

So, on second thought, I'll get the game!

But I will wait till they get things straightened out. ;)

 

 


So... not to diminish people's legitimate concerns, but speaking for myself the game hasn't suffered any negative technical issues since the update and I appreciate the anti-cheat at least in theory. Am I the only person who doesn't think it's that big of a deal, even if I can understand why people disapprove of the kernel mode driver method?

7 hours ago, printz said:

I'm afraid this is going to kill off the PC as a gaming computer. Neither consoles nor Google Stadia have this problem. And it will become attractive to try them if I really want to play such games. So there'll be less and less certainty about playing the game on PC. This will also lead to lower sales of specialized PC hardware such as powerful GPUs. And overall degradation of gaming challenge quality, because, let's say Doom 2016: this game is way too hard to play from a handheld controller compared to keyboard+mouse!

 

I read some nefarious examples of what Anti-Cheat drivers can do, such as this one:

 

...Yikes, this is all sorts of fucked. Now that's not even banning on evidence, that's banning on mere suspicion. And if he didn't even have IDA attached to the game EXE or any game components, that's no reason to ban at all!

 

Also, sorry, I couldn't resist.

14 hours ago, Maes said:

User title checks out.

12 minutes ago, SulfurOccult said:

So... not to diminish people's legitimate concerns, but speaking for myself the game hasn't suffered any negative technical issues since the update and I appreciate the anti-cheat at least in theory. Am I the only person who doesn't think it's that big of a deal, even if I can understand why people disapprove of the kernel mode driver method?

So we are both in the same cohort of people not suffering from game-wrecking performance issues; I can tell that performance takes a slight hit in some places, but it really is so negligible that it is hardly a concern.

 

What does concern me is the insane amount of ports opening up inside the kernel itself. Anywhere from 6 to 20 connections on and off. That really seems like a big risk to be taking for anti-cheat software. I can sympathize to some degree with devs' pragmatic need to operate in that memory space if the hacks they hope to catch are also operating there, but it isn't like that's the only way to catch them; it's probably just the quickest. Still, it's risky.

 

That said, now that I can monitor which hosts are connecting to my computer via these processes, I feel a little less concerned, and playing Doom again is nice, but I would love it if I didn't have to keep a second display open with network and process diagnostics tools to have a little more peace of mind. That is a big time failing on id and Bethesda's part. Major fuck up.

9 hours ago, icecoldduke said:

Your safer bet is to try and get the multiplayer bits working again with v1.00, because we have the non denuvo executable, then trying to take apart the anti cheat bits in 1.01. 

Were it that simple it would be great, but with 3 different client-server APIs (Steam, PlayFab, Bethesda.NET) requiring persistent connections, a deprecated build would probably not play nice with their parity checks; indeed, you cannot even log in to Bethesda.NET through Doom Eternal if your client version does not match (you will be prompted to update your client before you're allowed to log in).

 

At this point, I think Denuvo's Achilles' Heel might be in a contingency you touched on earlier, that the client-side driver not interfere with operation in case of an outage or loss of service from Denuvo servers. If that exists, there's got to be a way to exploit that.

5 hours ago, Caleb13 said:

...it is just a small part of a much bigger global push towards the "everything-as-a-service" business model, from cars and hi-tech devices down to ordinary things like TVs or microwave ovens. Through never-ending rental fees, the corporations will be able to extract more money from consumers than they can now with one-time purchases. But the hidden ultimate reason for this is more power, more control over the populace. And >90% of people are happily speeding towards it...

 

Sadly I completely agree with you. I would honestly pay extra money to just buy something outright. Of course, I'd want a guarantee of "no future BS or your money back, plus interest."


The admin of r/Doom Discord shared a log, which indicates that the driver checks for existence of the exec in memory every 5 seconds.


According to Steam Achievements, 2.8% of all players got the "Play 25 BATTLEMODE matches" achievement. 0.8% got the "Kill 200 Demons in BATTLEMODE" achievement. So this entire anticheat fiasco was created to preserve the sanctity of a mode the overwhelming majority of the playerbase doesn't give a fuck about. 

 

lmao

25 minutes ago, Cacodemon345 said:

The admin of r/Doom Discord shared a log, which indicates that the driver checks for existence of the exec in memory every 5 seconds.

That would be congruent with the amount of Denuvo AC threads being created in the System kernel; they come and go so quickly you can hardly read the text in the field.

4 hours ago, ZalgoC0meth said:

Y'know, I liked CroTeam's approach to DRM and anti-cheat: active trolling measures. When Serious Sam 3 launched, people that pirated the game were posting videos showing the game taking over their mouse, spawning God mode scorpions to come grief you, just making the game unplayable without having any actual permanent consequences.

The entire game was also speedran with the DRM triggered. Still wouldn't play it, as I don't think the original games are that great, with poor replay value IMO.

51 minutes ago, Mr. Freeze said:

According to Steam Achievements, 2.8% of all players got the "Play 25 BATTLEMODE matches" achievement. 0.8% got the "Kill 200 Demons in BATTLEMODE" achievement. So this entire anticheat fiasco was created to preserve the sanctity of a mode the overwhelming majority of the playerbase doesn't give a fuck about. 

 

lmao


I think this point really needs to be emphasised. I don't think the multiplayer numbers for the Bethesda launcher version are any better, but is there any way of confirming this?

Because if it turns out that they did this to the game when less than 10% of the total playerbase plays the multiplayer, then that is a travesty and truly worthy of the outcry that adding DAC has brought about.

7 hours ago, Caleb13 said:

However, it is just a small part of a much bigger global push towards the "everything-as-a-service" business model, from cars and hi-tech devices down to ordinary things like TVs or microwave ovens. Through never-ending rental fees, the corporations will be able to extract more money from consumers than they can now with one-time purchases. But the hidden ultimate reason for this is more power, more control over the populace. And >90% of people are happily speeding towards it...

 

And then some startup will begin producing hardware that doesn't come with strings attached and the playing field will be levelled again. You can only push those customer-hostile business models in non-essential areas where the customer can say 'no' and just boycott the product, and where serious competition is hard to come by. In every other field the natural competition will prevent this, because not doing it would be a huge competitive advantage and some manufacturer will take that advantage.

 

There have been countless failures over the decades when trying to push customer unfriendly products into the market, because the customers wouldn't accept them. Case in point: https://en.wikipedia.org/wiki/DIVX

That's a textbook case of trying to establish something anti-consumer that was just flat out wiped away by a more customer friendly alternative. The thing with services is that they have to provide some genuine advantages over a purchasable product, and outside of computing that's very hard to achieve.

And just in case you haven't noticed, leasing cars has been a business for decades, but it never eliminated the market for selling cars.

 

 

